Enterprise SSO setup
Set up Enterprise SSO (SAML or OIDC) so admins sign in through your identity provider, enforce SSO, and auto-provision (JIT) new teammates.
Written By Robi Rohumaa
Last updated 3 days ago
Overview
Enterprise SSO lets your admins sign in to Featurebase through your company identity provider (IdP), using SAML 2.0 or OpenID Connect (OIDC). You connect your provider once, then choose whether to enforce SSO for every admin and whether new teammates are created automatically on their first SSO login.
This guide covers admin sign-in. To sign your end-users into your Feedback Portal and widgets, see Web portal single sign-on (SSO) setup instead.
Note: Enterprise SSO is available on the Enterprise plan and is switched on by our team first.
Supported identity providers
Enterprise SSO works with any identity provider that supports SAML or OIDC. Supported providers include:
Okta
Microsoft Entra ID (formerly Azure AD)
Google Workspace
OneLogin
Ping Identity (PingFederate and PingOne)
JumpCloud
Auth0
CyberArk
Duo
Keycloak
Microsoft AD FS
Oracle
Rippling
Salesforce
VMware Workspace ONE
Cloudflare
ADP
Login.gov
Clever
ClassLink
CAS
LastPass
miniOrange
NetIQ
Shibboleth
SimpleSAMLphp
Don't see your provider? You can connect any other SAML or OIDC identity provider with a custom connection. The list of supported providers grows over time, so reach out if you're unsure whether yours is covered.
Before you start
You need:
The Enterprise plan, with Enterprise SSO enabled by our team
A role with the Manage SSO permission
Admin access to your identity provider
At least one company domain you can verify
If the page shows that setup needs to be enabled by our team first, contact us from that page and we'll turn it on.
Verify your domain
Featurebase uses verified domains to recognize which email addresses belong to your company. You need at least one verified domain before you can enforce SSO. If your team signs in with more than one email domain, add each of them.
Under Enterprise identity, click Manage domains.
Add your company domain and follow the steps shown in the Featurebase Enterprise Identity Portal.
Connect your identity provider
Under Enterprise identity, next to Identity connection, click Manage identity connection.
Complete the SAML or OIDC setup in the Featurebase Enterprise Identity Portal, then return to Featurebase.
Confirm the Single sign-on row shows Connected.
Test sign-in with a non-owner admin before you enforce SSO.
Make sure your identity provider sends each user's email address. First and last name are used for display and fall back to the email address if they're missing.
How admins sign in with SSO
Once your connection is active, admins sign in from the Featurebase login page:
On the login page, choose Continue with SSO.
Enter your work email.
You're redirected to your identity provider to authenticate, then back to Featurebase.
If SSO is enforced, a non-owner admin who tries to sign in with a password is redirected to your identity provider automatically. Social logins (Google, GitHub, and Discord) are blocked with a message to sign in through SSO instead.
Enforce SSO for admins
Turn on Enforce SSO for admins to require every admin except the workspace owner to sign in through your connection.
Before you can enforce SSO, both of these must be true:
At least one company domain is verified
Your SSO connection is active and you've tested a sign-in
To turn it on, toggle Enforce SSO for admins and type ENFORCE SSO to confirm.
When SSO is enforced:
Every non-owner admin must sign in through your identity provider
Email, password, and social login stop working for those admins in this workspace
Existing non-SSO admin sessions are invalidated immediately, so those admins sign in again through SSO
The workspace owner keeps emergency access through their password or a social login
Avoid getting locked out
The workspace owner can always sign in with their password or a social login (Google, GitHub, or Discord), even when SSO is enforced. Treat the owner account as your emergency way back in.
Before you enforce SSO, test a full sign-in with a non-owner admin and confirm the owner can still sign in without SSO.
If your identity provider goes down or the connection breaks, the owner can turn off Enforce SSO for admins to restore password and social login for every admin. There's no separate per-admin bypass, so this is your recovery path.
Auto-provision new members
Turn on Auto-provision new members on SSO login to let approved teammates join the workspace the first time they sign in through SSO. This is also called just-in-time (JIT) provisioning. Set Default role for new SSO members to control the role they get on that first sign-in.
If auto-provisioning is off, only teammates who were already invited can sign in with SSO.
Note: If Directory sync is enabled, its group rules take over a member's role and seat from the first sign-in onward.